Posted to users@tomcat.apache.org by David Tyler <ic...@yahoo.com> on 2008/10/04 14:04:48 UTC

fex* war malware

I have encountered this in September 2008.  Here is what I have found:

1)  There are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell

2)  It appears to be distributed using an automated scanner that looks for the manager app running on Tomcat port 8080 with the default password still intact: admin / admin

3)  The code deploys a webapp to Tomcat that:
a)  Checks if the OS is Windows.  If not, it terminates.
b)  If it is Windows... then some variants immediately download and execute a binary from one of several possible servers.  The binary presumably contains further malware.
c)  Other variants apparently wait to be invoked again by an external host that will provide the URL of a binary to download and execute.

THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP PASSWORD.  Or you could delete the manager webapp.

The manager username / password is set in: tomcat/conf/tomcat-users.xml

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
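The post above points at conf/tomcat-users.xml as the place where manager credentials live. As an added example, not code from the thread or from the Tomcat project, here is a small audit that parses such a file and flags every account holding a manager role whose password is on a weak list or equals its own username. The role names checked ("manager" and any "manager-*" role), the weak-password list and the two sample files are assumptions constructed for this example; the only Tomcat facts relied on are that a `<user>` element carries `username` (or `name`), `password` and a comma-separated `roles` attribute, and that later releases namespace the document.

```python
# Added example (not from the thread): audit a Tomcat conf/tomcat-users.xml for
# manager-capable accounts that still carry a weak or default password.
import xml.etree.ElementTree as ET

# Passwords treated as weak by this check; a constructed list, not a Tomcat default.
WEAK_PASSWORDS = {"", "admin", "tomcat", "manager", "password", "changeit", "123456"}


def _local(tag):
    """Strip an XML namespace prefix ('{uri}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def manager_roles(user):
    """Return the roles on a <user> element that grant manager-app access.

    Assumption: the role is 'manager' (as on Tomcat 6) or any 'manager-*' role.
    """
    roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
    return [r for r in roles if r == "manager" or r.startswith("manager-")]


def audit_tomcat_users(xml_text):
    """Return (username, manager_roles, reason) for each risky manager account."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' for the account name.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = manager_roles(elem)
        if not roles:
            continue  # no manager access, so out of scope for this check
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, roles, "password is on the weak list"))
        elif password.lower() == name.lower():
            findings.append((name, roles, "password equals username"))
    return findings


# Constructed sample: the kind of file the original post describes.
WEAK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="manager,admin"/>
  <user username="app" password="r4ndomLongSecret!" roles="app-user"/>
</tomcat-users>
"""

# Constructed sample: manager role present, but a strong, unique password.
HARDENED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager"/>
  <user username="ops" password="Vq7!pR2m-Xc9zT4w" roles="manager"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(label, audit_tomcat_users(doc) or "no findings")
```

Run it against a copy of the real file (`audit_tomcat_users(open(path).read())`) as a periodic configuration check; an empty result means no manager account matched either rule, not that the file is safe in every other respect.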


Re: fex* war malware

Posted by Mark Thomas <ma...@apache.org>.
David Tyler wrote:
> I have encountered this in September 2008.  Here is what I have found:
> 
> 1)  There are several variants such as: fexcep OR fexcepkillshell OR fexcepshell OR fexcepspshell OR fexception OR fexshell OR fexsshell
> 
> 2)  It appears to be distributed using an automated scanner that looks for the manager app running on Tomcat port 8080 with the default password still intact: admin / admin
> 
> 3)  The code deploys a webapp to Tomcat that:
> a)  Checks if the OS is Windows.  If not, it terminates.
> b)  If it is Windows... then some variants immediately download and execute a binary from one of several possible servers.  The binary presumably contains further malware.
> c)  Other variants apparently wait to be invoked again by an external host that will provide the URL of a binary to download and execute.
> 
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT MANAGER APP PASSWORD.  Or you could delete the manager webapp.
> 
> The manager username / password is set in: tomcat/conf/tomcat-users.xml

David,

To repeat what I wrote on the dev list:

You appear to be misinformed. There is no default Tomcat password.

The Tomcat binary distributions are already constructed as you are
suggesting and have been that way for as long as I can remember.

With the zip/tar install, the user has to manually edit tomcat-users.xml.
The user must also add the manager role to one of the users. In 6.0.x  the
user must also create a user as none are defined by default. None of the
default users is named admin.

With the Windows installer, an admin user is created but there is no
default password. The user must specify their own.

I am extremely interested to find out where you obtained your Tomcat
installations from as it could not have been an official Apache
distribution. Please let us know where you sourced them from so we can warn
the Tomcat user community to avoid them.

Kind regards,

Mark



RE: fex* war malware

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: David Tyler [mailto:ic547@yahoo.com]
> Subject: fex* war malware
>
> THE SAFEGUARD AGAINST THIS IS TO CHANGE THE DEFAULT TOMCAT
> MANAGER APP PASSWORD.

That would be tricky, since, by default, there is no manager app password or even role in conf/tomcat-users.xml; out of the box, the manager app is disabled. Also, as is stated in the documentation, the tomcat-users.xml mechanism should not be used in production.

Want to try again?

 - Chuck
